ECSH33338 - Checking customer due diligence: high-risk situations

This page covers when enhanced due diligence (EDD) and enhanced ongoing monitoring are required for:

  • any high-risk factors identified by the business in its risk assessment
  • any high-risk factors determined by HMRC as the supervisory authority (as shown in published guidance on GOV.UK)
  • false or stolen identification documentation or information provided by the customer (although it would be unusual for a transaction to continue in these circumstances)
  • any other case which by its nature can present a higher risk of money laundering or terrorist financing (ML/TF).

Ensure you also read the general guidance relating to EDD and the Relevant Requirements section.

High-risk factors identified by the business in its risk assessment

The first requirement to apply EDD arises where the risk has been identified by the business. This is required by regulation 33(1)(a)(i) of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

You should consider what the business has identified and assessed as high-risk in its risk assessment.

You should next check that the business’s policies, controls and procedures (PCPs) include EDD measures to mitigate and manage the higher risk.

The types of checks a business may carry out include:

  • seeking additional independent, reliable sources to verify information provided or made available to the business
  • taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction
  • taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship
  • increasing the monitoring of the business relationship, including greater scrutiny of transactions.

You will need to understand:

  • who identifies high-risk transactions
  • what the additional measures are
  • where the information is held
  • how high-risk transactions are approved and monitored

You can then ask to see the records of customers or transactions involving these risks to ensure that the EDD measures were appropriately applied.

Case study

An art market participant (AMP) has assessed the risk of receiving payments via a third party as a high risk. This was confirmed verbally during the compliance check and is included in the AMP’s risk assessment in writing. It also has written policies, controls and procedures (PCP) for EDD, stating that the transaction must be approved by the nominated officer before proceeding, so that additional checks can be carried out. Whilst testing the records, you recognise that the AMP accepted a third-party payment at the start of the year. You establish that CDD had been conducted to identify and verify the identity of the third party, but no further checks set out in the PCP were conducted for this transaction.

The AMP has breached regulation 33(1)(a)(i) in that it has assessed a scenario as high risk under regulation 18(1) but has not carried out EDD for this scenario.

Consider that the AMP may have also breached regulation 19(1) in that it did not maintain or follow its policies, controls and procedures on EDD.

It’s important to note that there can only be a breach of regulation 33(1)(a)(i) where the business has identified the high risk of ML/TF. If the risk has not been identified by the business, it is a breach of regulation 18(1). You should also consider whether another breach under 33(1)(a)(ii) or 33(1)(g) is appropriate – see guidance below.

High-risk factors identified by the supervisory authority

The second requirement to apply EDD arises where a high risk of ML/TF has been identified in information made available under HMRC’s published risk assessment (regulation 17) and HMRC’s published sector guidance (regulation 47). This is required by regulation 33(1)(a)(ii).

To understand if this requirement has been met, you must use:

  • the “Understanding risks and taking action…” guidance published on GOV.UK for the sector you are checking. (These in turn link to the UK’s National Risk Assessment/s (NRA) under regulation 16)
  • the sector guidance published on GOV.UK which includes risk factors and links to other published material (such as publications by the Financial Action Task Force (FATF)).

to confirm that risks relevant to the business have been taken into account, using the steps described in the section above for reviewing the risk assessment and PCPs. Remember, the business should have already taken these into account in its risk assessment. If it has failed to take into account the information provided, you must understand why, for example:

  • has it read the published information?
  • did it understand it?
  • did it seek any assistance in relation to the published information?
  • did it consider that the information was not applicable to the business?

Where a business has more than one supervisor, based on its activities, you may need to ask the business if the information it has used was provided by another supervisory authority.

Remember to check that the information had been published at the time the requirement to carry out CDD arose.

Case study

The “Understanding risks and taking action: estate agency businesses” guidance, updated in October 2022, states that super-prime property presents a high risk. You visit an estate agency business (EAB) which regularly markets and sells what it considers to be super-prime property (established from your questioning and from your record testing), but EDD has not been carried out on any of these transactions. You review the EAB’s risk assessment dated March 2024 and ask the business to explain the steps it took when identifying and assessing risks to its business. You establish that the EAB has not identified or assessed the risk of super-prime property in its risk assessment because it hasn’t read the published guidance since it registered 5 years ago. You therefore explain that the EAB has breached regulation 33(1)(a)(ii) for all super-prime property, as well as regulation 18(1), in relation to regulation 18(2)(a).

For more guidance on corresponding breaches, see specific breaches of customer due diligence.

False or stolen identification documentation or information provided by the customer

If the business discovers that a customer has provided false or stolen identification documentation or information, and proposes to continue to deal with that customer, it must carry out EDD measures to ensure information is correct. This is required by regulation 33(1)(e) of MLR 2017.

You may identify this during questioning or record testing. If the business tells you that it discovered that the customer had provided false or stolen identification documentation or information, you should question the business to establish why it decided to continue with the transaction:

  • what was the documentation and information in question?
  • what are the details surrounding this customer or transaction?
  • when was the documentation and information provided?
  • who provided the information and how was it provided?
  • how did the business discover it was false or stolen?
  • when did the business discover it was false or stolen?
  • what steps did the business take when this was discovered? Did it consider submitting a suspicious activity report (SAR)?
  • did the steps taken manage and mitigate the risks?

This list is not exhaustive.

To test whether the EDD measures are appropriate, follow the general EDD guidance.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Case study

A trust or company service provider (TCSP) takes a copy of its customer’s ID to verify identity and obtains information about the customer as part of its CDD procedures. The TCSP discovers that the customer has provided false information but considered it an administrative error and decided to continue to deal with the customer. Following the results of your own checks on available open-source information, you confirm that the information was indeed false. You ask the business what additional measures it took and establish that the TCSP did not take any steps to check the information against independent sources.

The TCSP has breached regulation 33(1)(e) in that it did not take any further steps to understand why the customer provided false information and continued to deal with the customer. You must also establish whether the TCSP submitted a suspicious activity report, as well as considering any corresponding breaches.

Any other case which by its nature can present a higher risk of money laundering or terrorist financing

Regulation 33(1)(g) extends the EDD requirement to any other case which by its nature can present a higher risk of money laundering or terrorist financing. You should use this sub-section where (a) to (f) do not apply.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Take time to review all of the risk factors in regulation 33(6) so you can recognise whether any other risk factors are present when testing transactions. Some common risks are where:

  • a customer is a business that is cash intensive
  • the product or transaction is one which might favour anonymity
  • the situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as an electronic identification process which meets the conditions set out in regulation 28(19)
  • new products and new business practices are involved
  • there is a transaction related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory or other items related to protected species, or other items of archaeological, historical, cultural or religious significance or of rare scientific value
  • there are geographical risks, such as countries identified by credible sources as having significant levels of corruption, or as being involved in the production and supply of illicit drugs
  • countries subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations
  • countries providing funding or support for terrorism.

However, as above, you must first check whether these risks are already shown in the individual sector risk assessment under regulation 17; where they are, the breach will fall under regulation 33(1)(a)(ii) above.

For example, if a money transmitter has recorded that the purpose of a customer’s transactions was to support their family in the country of destination, do the amount and frequency of the transactions fit with the relative cost of living in that country? If it appeared that the customer had sent more money than their income allowed, did the business ask additional questions about the purpose of the transactions and undertake enhanced due diligence to understand how many family members there were and whether the activity would continue in a similar manner for a specific period of time?

To test whether the EDD measures are appropriate, see the general EDD guidance. For more guidance on corresponding breaches, see Specific breaches of customer due diligence.